Wednesday, September 30, 2009

Mass. tightens data privacy protections in big way

Rigorous requirements covering the collection of employee and customer information will take effect early next year under a new state law designed to prevent breaches and protect Massachusetts residents from identity theft.

John Moynihan, a former state data security protection officer, told my networking group recently that fines under the law will run up to $5,000 per record for breaches. So the loss of 200 records equals $1 million in fines.

The law requires people and companies that collect and work with confidential data such as credit card information or Social Security numbers to have written security plans in place, according to Moynihan. It covers every employee in a position to access such data and places requirements for data protection and encryption not only on office computers but also on laptops and other mobile devices.
A business that hands personal data to an outside vendor must also obtain written assurance from that vendor that the vendor has a compliant security plan in place; outsourcing the handling of the data does not outsource the obligation.

Companies need not be Massachusetts-based to fall under the law. An out-of-state bank or credit card company is responsible for compliance if it holds personal data on any Massachusetts resident.

The law is considered a groundbreaker, Moynihan said, and so there is a push in Congress to use it as a model for national legislation, so that data collectors do not have to deal with a patchwork of differing state regulations.

This is good for consumers and tricky for businesses and organizations. Those of you taking credit cards online or in person will want to confirm that your payment processors are in compliance, since the data they hold on your customers is data you collected.

The business networking group to which I belong, Community Business Associates, was fortunate to hear about this issue early. Several area chambers of commerce will soon be running larger programs on compliance with the statute. It would be a good idea for your group or company to find out all you can. The law takes effect in March 2010.

John Moynihan is managing director of Minuteman Governance Inc., a Hopkinton consultancy that provides information security services throughout the public and private sectors. Prior to founding Minuteman, John was information security officer for the Massachusetts Department of Revenue, where he was responsible for the agency's information security and internal audit functions.

In response to a question, he warned our group that several contractors with dubious (my word) credentials have appeared claiming to be able to make businesses and organizations compliant with the law. For more information on the requirements, visit http://www.minutemangovernance.com/

For insights on credible communication, visit www.datzmedia.com